Seven Deadliest USB Attacks, part 7

Digital Forensic Acquisition Examination
Figure 5.4: Linux Boot Menu Options
8. Press the Tab key once the boot menu appears. The default keyboard type is set
to Belgian. If you have a US keyboard, use the arrow keys to modify the keyb
option, as shown in Figure 5.4. The modified value should now be keyb=US if
this is the keyboard type you have. Press Enter to initialize the system.
Princeton Cold-Boot Attack
To complete this scenario, you will need a Windows machine, Linux on USB, and the
alternate USB drives. Download the USB/PXE Imaging tools (http://citp.princeton.edu/memory-content/src/bios_memimage-1.2.tar.gz)
and place this file on the root of one of the flash drives (not the one with Linux
installed). If you have Internet access from Linux, these files can be downloaded while
booted to that operating system; otherwise, do so in Windows. To test this against
full-disk encryption, you will need to install full-disk encryption software and encrypt
your drive with Advanced Encryption Standard (AES). XP and Vista Home users can use
TrueCrypt (www.truecrypt.org/downloads); instructions for installation and encryption
can be found in its package, on the site, or in a number of other locations. [V]
1. Boot into Linux if not there already; don’t forget to modify your keyboard to
enable US type if relevant.
2. Open a root terminal by pressing the start button at the bottom-left-hand portion
of the menu bar, then select Root Terminal, as seen in Figure 5.5.
3. Type cd / and press Enter.
[V] www.informit.com/articles/article.aspx?p=1276279
CHAPTER 5 RAM dump
Figure 5.5: FCCU Linux Start Menu
4. Type mkdir /ramdump and press Enter.
5. Insert the drive containing the bios_memimage-1.2.tar.gz.
6. Type fdisk -l | grep '^Disk' and press Enter to view all disks.
Tip
Linux is case-sensitive, so use capitals where required.
7. Find your flash drive by checking the size. If two drives are the same size, the
most recently inserted drive should have been assigned the higher letter.
8. Type mkdir /mnt/sd* and press Enter. “*” is the flash drive letter (for example, /mnt/sdc) containing bios_memimage-1.2.tar.gz and may be unique to each
scenario. If the mount point already exists, move on to the next step.
9. Type mount /dev/sd*1 /mnt/sd* and press Enter.
Warning
Never remove a mounted drive from Linux without using the umount command. The syntax
for this command is umount /mnt/sd*. Removing the drive while it is mounted will prevent
new volumes from being able to mount, and you will have to reboot the system to correct this.
10. Type cd /mnt/sd* and press Enter.
11. Type cp bios_memimage-1.2.tar.gz /ramdump and press Enter. Wait until
the drive stops blinking, and the file should be copied over. Validate by typing
ls /ramdump, and you should see your file in this folder. Type cd / to get back
to the root. If you only have two USB ports, this drive will now need to be
unmounted using the umount /mnt/sd* command.
12. Insert the flash drive you will set up to collect the RAM dump. All data on this
drive will be lost.
13. Type fdisk -l | grep '^Disk' and press Enter to view all disks.
Tip
Use the up arrow to pull up a command previously entered.
14. Find your flash drive by checking the size.
Warning
Use extreme caution when performing the next step, as choosing the wrong drive (Windows
system drive) will result in irreparable damage to your hard disk or other media!
15. Type dd if=/dev/zero of=/dev/sd* and press Enter. “*” must be the flash drive
letter you will install the imaging tool to (for example, /dev/sdc). This command
overwrites the drive you will use to collect the RAM dump with zeros, ensuring that
the data collected will contain only relevant information from your capture. Do not
perform this on the /dev/sda device, as this will likely be the Windows or host
system drive.
16. Type cd /ramdump and press Enter.
17. Type tar xvfz bios_memimage-1.2.tar.gz and press Enter to unpack the tarball.
Note
If you receive any errors related to ownership when unpacking the bios_memimage-1.2.tar.gz
tarball, you will need to take ownership of the file before unpacking it. This can be
accomplished by running chown root bios_memimage-1.2.tar.gz before unpacking the file.
18. Type cd bios_memimage and press Enter.
19. Type make and press Enter to build a 32-bit utility. To build for a 64-bit environment,
type make -f Makefile.64. Be sure to use the 64-bit utility if you are targeting 64-bit
systems. The instructions provided from this point forward target a 32-bit system.
20. Type cd usb and press Enter.
Warning
Use extreme caution when performing the next step, as choosing the wrong drive will
result in irreparable damage to your hard disk or other media! Also, make sure to use the
device representing the whole disk (for example, /dev/sdc) rather than a disk partition (for
example, /dev/sdc1).
21. Type sudo dd if=scraper.bin of=/dev/sd*. “*” must be the drive to which you
will be installing the RAM dump tool.
The flash drive should now be good to go. This drive will not need to be unmounted
before removal because we never mounted it. If you had problems compiling
scraper.bin, there is no need to worry. Darren Kitchen from Hak5.org has posted a
copy of the 32-bit scraper binary on his personal site (www.darrenkitchen.net/coldboot-attack).
The target machine from which you want a memory image must be able to boot from
a USB drive. Ensure this is the case before proceeding. If you have two systems
available, leave one of them booted to Linux. This will save you the time of
recreating the folder, copying the tar file, and extracting the image again. Once
again, the reason this might be necessary is the nonpersistent Linux image.
Once you have everything in place, insert the configured RAM dump USB drive
into a running Windows (or any other system) computer and force a system reset by
holding the power button or removing the power from the device. If the system is a
laptop, the battery will also have to be removed to cut power. For users with a single
system, shut down the Linux operating system and remove the FCCU live Linux
drive. If this drive is left in the system you will be imaging, it may boot to Linux
instead of the RAM dump drive. Return power to the system, and when the BIOS
screen appears, engage the boot option by pressing F12 and selecting your USB
device to boot from. Some computer manufacturers use a hotkey other than F12;
be sure to invoke the proper key. The scraper utility will automatically engage and
begin dumping the contents of physical RAM. Once complete, the tool will reset
the machine. Now take the USB drive and return to the system where you want to
perform the analysis.
The next steps provided will use the usbdump tool in the same directory where
we unpacked the bios_memimage-1.2.tar.gz package in Linux. Users with a single
computer will need to complete steps 1 to 11 again to reestablish the required files
to complete the remaining steps. The following procedures will create an image file
from the RAM extract so you can run an analysis against it.
1. Boot into Linux if not there already.
2. Open a root terminal.
3. Insert the USB RAM dump drive with which you just collected memory.
4. Type cd / and press Enter.
5. Type cd ramdump/bios_memimage/usbdump and press Enter.
6. Type sudo ./usbdump /dev/sd* > memdump.img and press Enter. The file
labeled “memdump.img” can be called anything you like, although we will reference it as such from here on out.
7. Users with a single computer will need to remove this drive (without unmounting) and insert the other drive to copy the memory image for safekeeping. If this
step is not accomplished, you will lose the image file if Linux is rebooted. Use the
fdisk, mkdir, mount, and cp commands to copy this image file to the flash drive.
The remaining procedures will parse the image file located on the Linux system
and not the flash drive.
Once you have created an image file from the target system’s RAM, you can
search for AES or RSA keys. The following instructions will walk you through running the aeskeyfind command. The RSA key finder can be run by using the rsakeyfind
command in place of the aeskeyfind below.
1. Boot to Linux if not there already.
2. Type cd /usr/bin and press Enter.
3. Type aeskeyfind -v /ramdump/bios_memimage/usbdump/memdump.img and
press Enter.
4. The utility should now start searching for AES keys located in memory. If found,
the output should look similar to below.
FOUND POSSIBLE 256-BIT KEY AT BYTE 154ce42c
KEY: eb0da2888e3347410d4643c4ed1ebc4e34118aba93b6d314ea25c4b94de91521
EXTENDED KEY:
eb0da2888e3347410d4643c4ed1ebc4e
34118aba93b6d314ea25c4b94de91521
f4545f6b7a67182a77215bee9a3fe7a0
8c641e5a1fd2cd4ef5f709f7b81e1cd6
84c8a907feafb12d898eeac313b10d63
f1acc9a1ee7e04ef1b890d18a39711ce
084a220df6e593207f6b79e36cda7480
a1fb5b6c4f855f83540c529bf79b4355
1450de65e2b54d459dde34a6f1044026
0009529b4f8c0d181b805f83ec1b1cd6
abcc28ab497965eed4a7514825a3116e
3f03d004708fdd1c6b0f829f87149e49
71c713bc38be7652ec19271ac9ba3674
e2f7d5969278088af9778a157e63145c
ca3d594ff2832f1d1e9a0807d7203e73
CONSTRAINTS ON ROWS:
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
295e3a2cf2832f1d1e9a0807d7203e7363636363000000000000000000000000
7863636300000000000000000000000063636363000000000000000000000000
5563636300000000000000000000000063636363000000000000000000000000
0f63636300000000000000000000000063636363000000000000000000000000
bb63636300000000000000000000000063636363000000000000000000000000
c863636300000000000000000000000063636363000000000000000000000000
2e63636300000000000000000000000063636363000000000000000000000000
FOUND POSSIBLE 256-BIT KEY AT BYTE 1836a434
KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
EXTENDED KEY:
000102030405060708090a0b0c0d0e0f
101112131415161718191a1b1c1d1e1f
a573c29fa176c498a97fce93a572c09c
1651a8cd0244beda1a5da4c10640bade
ae87dff00ff11b68a68ed5fb03fc1567
6de1f1486fa54f9275f8eb5373b8518d
c656827fc9a799176f294cec6cd5598b
3de23a75524775e727bf9eb45407cf39
0bdc905fc27b0948ad5245a4c1871c2f
45f5a66017b2d387300d4d33640a820a
7ccff71cbeb4fe5413e6bbf0d261a7df
f01afafee7a82979d7a5644ab3afe640
2541fe719bf500258813bbd55a721c0a
4e5a6699a9f24fe07e572baacdf8cdea
24fc79ccbf0979e9371ac23c6d68de36
CONSTRAINTS ON ROWS:
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
6948172fbb0d7ded3b16ce30696cda326d54b8480a0e0a0e0a0e0a0e0a0e0a0e
b29a81a5000000000000000000000000720676bd000000000000000000000000
69b5cd83000000000000000000000000fec82ba5000000000000000000000000
58fbba6f000000000000000000000000e2d69177000000000000000000000000
1fe3a63900000000000000000000000031467b85000000000000000000000000
b6a85bf0000000000000000000000000deaed73f000000000000000000000000
7cdc8bf900000000000000000000000045804db8a3b9352ffd620c9386f2fa8e
FOUND POSSIBLE 256-BIT KEY AT BYTE 306587dc
KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
EXTENDED KEY:
000102030405060708090a0b0c0d0e0f
101112131415161718191a1b1c1d1e1f
a573c29fa176c498a97fce93a572c09c
1651a8cd0244beda1a5da4c10640bade
ae87dff00ff11b68a68ed5fb03fc1567
6de1f1486fa54f9275f8eb5373b8518d
c656827fc9a799176f294cec6cd5598b
3de23a75524775e727bf9eb45407cf39
0bdc905fc27b0948ad5245a4c1871c2f
45f5a66017b2d387300d4d33640a820a
7ccff71cbeb4fe5413e6bbf0d261a7df
f01afafee7a82979d7a5644ab3afe640
2541fe719bf500258813bbd55a721c0a
4e5a6699a9f24fe07e572baacdf8cdea
24fc79ccbf0979e9371ac23c6d68de36
CONSTRAINTS ON ROWS:
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
6948172fbb0d7ded3b16ce30696cda326d54b8480a0e0a0e0a0e0a0e0a0e0a0e
b29a81a5000000000000000000000000720676bd000000000000000000000000
69b5cd83000000000000000000000000fec82ba5000000000000000000000000
58fbba6f000000000000000000000000e2d69177000000000000000000000000
1fe3a63900000000000000000000000031467b85000000000000000000000000
b6a85bf0000000000000000000000000deaed73f000000000000000000000000
7cdc8bf900000000000000000000000045804db8a3b9352ffd620c9386f2fa8e
FOUND POSSIBLE 256-BIT KEY AT BYTE 343017dc
KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
EXTENDED KEY:
000102030405060708090a0b0c0d0e0f
101112131415161718191a1b1c1d1e1f
a573c29fa176c498a97fce93a572c09c
1651a8cd0244beda1a5da4c10640bade
ae87dff00ff11b68a68ed5fb03fc1567
6de1f1486fa54f9275f8eb5373b8518d
c656827fc9a799176f294cec6cd5598b
3de23a75524775e727bf9eb45407cf39
0bdc905fc27b0948ad5245a4c1871c2f
45f5a66017b2d387300d4d33640a820a
7ccff71cbeb4fe5413e6bbf0d261a7df
f01afafee7a82979d7a5644ab3afe640
2541fe719bf500258813bbd55a721c0a
4e5a6699a9f24fe07e572baacdf8cdea
24fc79ccbf0979e9371ac23c6d68de36
CONSTRAINTS ON ROWS:
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
6948172fbb0d7ded3b16ce30696cda326d54b8480a0e0a0e0a0e0a0e0a0e0a0e
b29a81a5000000000000000000000000720676bd000000000000000000000000
69b5cd83000000000000000000000000fec82ba5000000000000000000000000
58fbba6f000000000000000000000000e2d69177000000000000000000000000
1fe3a63900000000000000000000000031467b85000000000000000000000000
b6a85bf0000000000000000000000000deaed73f000000000000000000000000
7cdc8bf900000000000000000000000045804db8a3b9352ffd620c9386f2fa8e
Keyfind progress: 100%
Results may vary depending on a number of circumstances. If there are no keys
in memory or the dump process took too long, nothing will turn up. Try encrypting your disk with TrueCrypt or BitLocker using AES, or visit a few Web sites
with Secure Sockets Layer (SSL) encryption. After doing this, repeat the dump and
image-creation process and rerun the aeskeyfind command.
The source package of aeskeyfind contains a readme file with basic instructions. An AES
key-fix utility is also available from the Princeton site for correcting bit errors that
might otherwise prevent discovery. The tool will output any keys it is able to locate.
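What aeskeyfind actually checks, as an added example (this is not code from the book or from the Princeton toolkit): an AES-256 key rarely sits in RAM alone, because the library keeps the 240-byte expanded key schedule beside it, and that schedule is a deterministic function of the key (FIPS-197 KeyExpansion). A scanner therefore treats every 32-byte window of an image as a candidate key, expands it, and checks whether the following bytes match. The second hit in the chapter's output (KEY 000102...1f) is the FIPS-197 Appendix A.3 test key, so its EXTENDED KEY lines are verified exactly below; the 8 KiB "memory image" is constructed here, and the scan is exact-match only (the real tool tolerates bit errors).

```python
import random


def _xtime(a: int) -> int:
    """Multiply a GF(2^8) element by x, reducing by the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _build_sbox() -> list:
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of
    pasting the 256-entry table."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):            # 3 = x + 1 generates every non-zero element
        exp[i], log[x] = x, i
        x ^= _xtime(x)              # x = x * 3
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s = inv
        for r in range(1, 5):       # s ^= rotl(inv, 1) ^ ... ^ rotl(inv, 4)
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
KEY_LEN, SCHEDULE_LEN = 32, 240     # AES-256: 32-byte key, 15 round keys of 16 bytes

# FIPS-197 Appendix A.3 test key (also the second hit in the chapter's aeskeyfind
# output) and its expanded key exactly as the chapter prints it.
FIPS_KEY_HEX = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
FIPS_SCHEDULE_HEX = (
    "000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"
    "a573c29fa176c498a97fce93a572c09c" "1651a8cd0244beda1a5da4c10640bade"
    "ae87dff00ff11b68a68ed5fb03fc1567" "6de1f1486fa54f9275f8eb5373b8518d"
    "c656827fc9a799176f294cec6cd5598b" "3de23a75524775e727bf9eb45407cf39"
    "0bdc905fc27b0948ad5245a4c1871c2f" "45f5a66017b2d387300d4d33640a820a"
    "7ccff71cbeb4fe5413e6bbf0d261a7df" "f01afafee7a82979d7a5644ab3afe640"
    "2541fe719bf500258813bbd55a721c0a" "4e5a6699a9f24fe07e572baacdf8cdea"
    "24fc79ccbf0979e9371ac23c6d68de36")


def expand_key(key: bytes) -> bytes:
    """FIPS-197 KeyExpansion for a 16-, 24- or 32-byte key; returns all round keys."""
    nk = len(key) // 4
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):             # Nr + 1 = nk + 7 round keys
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // nk]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord for AES-256
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], t)))
    return b"".join(w)


def _first_derived_word(key: bytes) -> bytes:
    """w[8] of an AES-256 schedule: a cheap filter applied before a candidate
    is expanded in full."""
    t = [SBOX[b] for b in key[29:32] + key[28:29]]
    t[0] ^= RCON[1]
    return bytes(a ^ b for a, b in zip(key[0:4], t))


def find_aes256_schedules(image: bytes) -> list:
    """Slide a 32-byte window over the image and report (offset, key) wherever
    the bytes that follow are exactly the window's own key schedule."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + KEY_LEN]
        if image[off + 32:off + 36] != _first_derived_word(cand):
            continue                              # rejects almost every offset
        if image[off:off + SCHEDULE_LEN] == expand_key(cand):
            hits.append((off, cand))
    return hits


def report(hits: list) -> str:
    """Render hits in the same layout as the chapter's aeskeyfind output."""
    lines = []
    for off, key in hits:
        lines += [f"FOUND POSSIBLE 256-BIT KEY AT BYTE {off:x}",
                  f"KEY: {key.hex()}", "EXTENDED KEY:"]
        sched = expand_key(key)
        lines += [sched[i:i + 16].hex() for i in range(0, SCHEDULE_LEN, 16)]
    return "\n".join(lines)


def build_sample_image() -> bytes:
    """Constructed 8 KiB stand-in for a RAM dump: pseudo-random filler, one full
    schedule planted at 0x400, and a bare copy of the key at 0x1000 with nothing
    derived from it. Only the schedule is recognisable, and its first 32 bytes
    are the key itself: a library must zeroize the whole expanded schedule when
    it is done, not just its own copy of the key."""
    rng = random.Random(5)
    buf = bytearray(rng.getrandbits(8) for _ in range(8192))
    key = bytes.fromhex(FIPS_KEY_HEX)
    buf[0x400:0x400 + SCHEDULE_LEN] = expand_key(key)
    buf[0x1000:0x1000 + KEY_LEN] = key
    return bytes(buf)


if __name__ == "__main__":
    print(report(find_aes256_schedules(build_sample_image())))
```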
Another interesting option is to use the strings and grep commands included in
Linux. These can be useful when trying to locate specific instances of remnants in
the system memory image. You can also find instructions for other acquisition and
analysis utilities in the “Advancements in Memory Analysis” section later in this
chapter. Included below is an example of the strings command that can be modified
depending on what you are trying to accomplish.
strings memdump.img | grep keywordtofind
To show you an example of what can be found, this command was run using www
as the key word to find. The below output is a small sample of what was found.
'https://www.verisign.com/repository/RPA0
=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981>0<
'https://www.verisign.com/repository/CPS
https://www.verisign.com; by E-mail at CPS-requests@verisign.
com; or
4https://www.verisign.com/repository/verisignlogo.gif0
hak5_usb_hacksaw_ver0.2poc.rarhttp://www.hak5.org/releases/2x03/
hacksaw/hak5_usb_hacksaw_ver0.2poc.rarfile:///C:/Documents%20
and%20Settings/Brian/My%20Documents/Downloads/hak5_usb_hacksaw_
ver0.2poc.rar
hak5_usb_hacksaw_ver0.2poc.rarhttp://www.hak5.org/releases/2x03/
hacksaw/hak5_usb_hacksaw_ver0.2poc.rarfile:///C:/Documents%20
and%20Settings/Brian/My%20Documents/Downloads/hak5_usb_hacksaw_
ver0.2poc.rar
Setup_MagicISO.exehttp://www.magiciso.com/Setup_MagicISO.
exefile:///C:/Documents%20and%20Settings/Brian/My%20Documents/
Downloads/Setup_MagicISO.exe
http://www.magiciso.com/download.htm.
is a registered trademark of Heidelberger Druckmaschinen AG and
its subsidiaries.LINOTYPE-HELL AGhttp://www.fonts.dehttp://
www.microsoft.com/typography/designers/hzapf.htmThis font file
came with a piece of Microsoft software and is governed by the
license agreement for that piece of software. This font may not
be given away, sold, rented or loaned to others in any way, but
you are allowed to make a backup copy of this font file.
Additional licenses may be purchased from Linotype Library GmbH.
See http://www.LinotypeLibrary.com/ for details or write to
Linotype Library GmbH, DuPont Strasse 1, D-61352 Bad Homburg,
Germany, Fax (49)6172-484 499.
@$www
2001 Microsoft Corporation. All rights reserved.TungaRegularTunga
RegularTungaVersion 1.07Tunga-RegularRaghunath Joshi (Type
Director), Vinay SaynekarTunga is an OpenType font for the Indic
script - Kannada. It is based on Unicode, contains TrueType
outlines and has been designed for use as a UI font.http://www.
ncst.ernet.in/~rkjoshi
www.mozilla.com
Mind Your Memory
Despite the relative immaturity of memory analysis, there is still a remarkable
amount of critical data that can be obtained. Digital investigators have found this avenue extremely beneficial in finding rootkits, encrypted contents, and other advanced
exploit utilities. From an attacker’s perspective, this type of data can provide a trove
of treats. Included below is a high-level summary of the information that can be
obtained from a memory image.
• Keyboard interrupt buffer data (full-disk and BIOS passwords)
• Usernames, passwords, and encryption keys (including SSL private and full-disk keys)
• OS kernel structures, sockets, processes, and network sessions
• Opened files and running programs
• Web 2.0 data (instant messaging, Web mail, social networking information)
These risks are not limited to just USB-type memory acquisition. The Princeton
Cold-Boot Attack paper outlines three different methods that can be used for memory
extraction. The researchers provide example code for programs based on a PXE network
boot, a USB boot, and an EFI boot (placing the RAM into an alternate system) to
perform the acquisition. All of these attacks are designed to debunk the theory that
RAM state is lost as soon as power is removed. The paper also goes so far as to apply
cooling techniques that preserve the state for a longer duration. In this scenario,
they used a commonly available can of compressed air, inverted and sprayed directly
on the system's memory modules. Even at normal operating temperatures, they found
only a minimal rate of bit corruption for as long as several seconds, whereas the
cooling technique resisted corruption for up to several minutes.
FireWire provides another avenue to acquire the goods in memory. Early in the
evolution of computers, direct memory access (DMA) controllers were established to
offload intensive tasks from the processor. This technological enhancement is what
made audio cards less erratic and hard drives more efficient. The addition of these
microchips meant the processor no longer had to halt its operations for allocation of
cycles to these reoccurring tasks. Simply put, FireWire’s protocol is granted DMA,
consequently bypassing the operating system’s security mechanisms. The beauty of a
DMA attack is that a device with DMA hardware rights can essentially read or write
to any location in memory without processor intervention. An attack of this type was
established nearly 5 years ago against UNIX machines. [W]
Tip
Some of the links provided may be in an alternate language. Worldlingo.com and translate.
google.com provide Web-based translators that can be used to interpret these.
A tool released in 2006 by a security consultant transforms the UNIX attack to
take aim at Microsoft. [X] The resulting tool is claimed to evade native Windows
authentication mechanisms by plugging into a target system's FireWire interface and
executing code. The exposure was brought to Microsoft's attention in 2005, and they
initially seemed apprehensive. Microsoft never acted on this, but they did provide a
response indicating “if a bad guy has unrestricted physical access to your computer,
it's not your computer anymore.” [1] The hack was released primarily due to the lack
of action by the respective vendors to whom the report was issued. In this scenario,
a Linux operating system is attached to the FireWire port on the target computer and
made to masquerade as an iPod. Read and write access to the system memory is then
acquired by the tool, allowing manipulation of the Windows protection processes in
memory. [Y] This tool is included on the Belgian FCCU live Linux operating system
used in the previous section of this chapter. In order to stay true to the title of this
book, these procedures will not be covered at this time. [Z]
[W] http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
[X] www.storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf
[Y] www.storm.net.nz/projects/16
These attacks are intimidating and have raised concerns from the media and security
industry experts. Joanna Rutkowska presented a comparable attack at Black Hat
on February 28, 2007, in Washington, DC. The presentation's primary objective was
to provide research on forensic RAM-gathering techniques based on DMA access. [AA]
They were able to prove that RAM acquisition is possible, although there is a high
risk of crashing the target machine when accessing the upper memory area. [BB] They
also concluded that insertion of arbitrary code is possible depending on the specific
configuration of the target host.
If your computer is without a FireWire port, you are not completely removed from
this risk. A laptop with a Personal Computer Memory Card International Association
(PCMCIA) or ExpressCard slot can easily have a FireWire or any other card type
introduced. Due to these inherent vulnerabilities, installations with elevated security
will usually obtain newer machines that map virtual memory space to the FireWire
actual physical memory space. Other tactics include disabling the Open Host Controller
Interface hardware mapping between FireWire and node memory, [2] disabling hardware
interfaces, or excluding these ports altogether.
Tribble [CC] is another recent addition to the memory collection repertoire. Joe
Grand (www.grandideastudio.com/) and Brian Carrier (http://digital-evidence.org/)
produced this solution, which installs as an expansion card on servers deemed critical.
The card they developed must be installed prior to an incident. A physical switch is
present that can be engaged to activate the card and retrieve the current memory state
and registers of the processor when needed. Once the image is acquired, the card can
be removed and analyzed offline. In February of 2007, patent 7181560 was granted
to the developers for this technology. [DD] A similar attack strategy was presented at the
EUSecWest conference in Amsterdam on May 27, 2009, [EE] which further accentuates
the vulnerabilities these unprotected ports can induce.
Attackers are beginning to take notice of the beneficial aspects of collecting RAM
data. A Data Breach Investigation Report released by Verizon in 2009 shows that
RAM-scraper deployments are on the rise. [FF] RAM scrapers are similar to dumpers
but are usually designed to look for and log specific activity. The particular instance
described in the report grabbed defined content using grep commands to query only
for credit card numbers on a point-of-sale (POS) system. It would then dump the
desired output to a file named dumper.dll, which would later be retrieved by the
attacker through an alternate backdoor. This technique is especially interesting in
that major concerns related to industry-regulated systems center on data encryption
at rest and in transit, while the information retained in RAM is almost always left in an
unsecured state.
[Z] http://blog.security4all.be/2008/03/partytricks-winlockpwn-tutorial-or-how.html
[AA] http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf
[BB] www.ntsecurity.nu/onmymind/2006/2006-09-02.html
[CC] www.digital-evidence.org/papers/tribble-preprint.pdf
[DD] www.freepatentsonline.com/7181560.pdf
[EE] https://bob.cat/archive/papers/EUSecWest-2009-Devine-Vissian.ppt
[FF] www.verizonbusiness.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf
Advancements in Memory Analysis
In 2005, the Digital Forensic Research Workshop held a memory-analysis challenge
geared to promote research and development in this space. [GG] Chris Betz,
George Garner Jr., and Robert-Jan Mora emerged as winners of the challenge with
the tools they submitted. Memparser, [HH] produced by Betz, provides reconstruction
and detailed information about system processes from a memory image. Garner and
Mora teamed up to develop kntlist, [II] which has acquisition and analysis features
as well as auditing and hash functions for forensic documentation purposes. The
research established here is said to have spurred considerable growth in this sector
of the forensic field. In the next section, we will illustrate how to use a common
analysis tool to extract information from a memory image.
ManTech DD
ManTech Memory DD is open-source software that can capture physical memory.
It is released under the GNU General Public License (GPL) for government and private
use and is capable of acquiring memory images from Windows 2000, 2003, XP, Vista, and
2008 systems. This tool is included on the FCCU live Linux distribution previously
used in this chapter; however, we will use it in another manner. In the following
example, we will use it on an authenticated Windows system to gather memory and
then analyze the image using Volatility 1.3 beta, which is also included on the FCCU
live Linux installation. Volatility is only able to analyze Windows 2000, XP, 2003,
and 2008 systems. For this reason, we will be capturing a memory image from an XP
SP3 system. The following instructions will walk you through this process.
1. In Windows, download the latest version of ManTech DD (http://sourceforge.net/
projects/mdd/files/).
2. Ensure you are logged onto Windows with administrative permissions, then open
a command prompt and change directories to the location where you downloaded
the file.
3. Run the following command: mdd_1.3 -o memdump.dd. MDD version 1.3 is the
current release at the time this book was written. If a newer version is available, be
sure to change the file name in the command accordingly.
[GG] www.dfrws.org/2005/index.shtml
[HH] www.dfrws.org/2005/challenge/memparser.shtml
[II] www.dfrws.org/2005/challenge/kntlist.shtml
4. This process may take some time to complete depending on the amount of
memory in your system.
5. Once the command completes, copy the newly created image file to a flash
drive.
6. Boot back into Linux. Don’t forget to adjust the keyboard setting if necessary.
7. Open a root terminal and type fdisk -l | grep '^Disk', and then press Enter to
view all disks.
8. Type mkdir /mnt/sd*, where “*” is the letter of the drive holding the memory image,
and press Enter.
9. Now, type mount /dev/sd*1 /mnt/sd* and press Enter.
10. Type cd Volatility-1.3_beta/ and press Enter. This command assumes you are
already in the /home/fccu/ directory.
11. Type python volatility and press Enter. You should see a list of available scripts
which can be run.
12. Now type python volatility pslist -f /mnt/sd*/xpdump.dd. If you stored the
memory image in an alternate directory or under a different file name, be sure to
adjust the path accordingly. The output of the command should appear similar to
what is shown below.
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      79     652    Thu Jan 01 00:00:00 1970
smss.exe             844    4      4      24     Sun Jan 10 21:36:39 2010
csrss.exe            920    844    13     616    Sun Jan 10 21:36:41 2010
winlogon.exe         944    844    18     442    Sun Jan 10 21:36:43 2010
services.exe         988    944    16     327    Sun Jan 10 21:36:44 2010
lsass.exe            1000   944    22     410    Sun Jan 10 21:36:44 2010
svchost.exe          1168   988    21     254    Sun Jan 10 21:36:44 2010
svchost.exe          1236   988    10     567    Sun Jan 10 21:36:44 2010
svchost.exe          1356   988    79     1823   Sun Jan 10 21:36:45 2010
svchost.exe          1480   988    6      87     Sun Jan 10 21:36:45 2010
svchost.exe          1552   988    12     167    Sun Jan 10 21:36:45 2010
vpnagent.exe         1564   988    3      82     Sun Jan 10 21:36:45 2010
spoolsv.exe          1908   988    12     141    Sun Jan 10 21:36:45 2010
svchost.exe          1980   988    4      109    Sun Jan 10 21:36:46 2010
mDNSResponder.e      2012   988    9      145    Sun Jan 10 21:36:46 2010
LSSrvc.exe           152    988    2      29     Sun Jan 10 21:36:46 2010
mdm.exe              156    988    5      88     Sun Jan 10 21:36:46 2010
svchost.exe          372    988    8      132    Sun Jan 10 21:36:46 2010
STUNNEL-4.11.EX      520    988    3      69     Sun Jan 10 21:36:46 2010
wdfmgr.exe           660    988    4      67     Sun Jan 10 21:36:47 2010
VongoService.ex      680    988    3      92     Sun Jan 10 21:36:47 2010
WINVNC.EXE           712    988    4      79     Sun Jan 10 21:36:47 2010
hpqwmiex.exe         776    988    5      115    Sun Jan 10 21:36:47 2010
alg.exe              1868   988    6      109    Sun Jan 10 21:36:50 2010
wscntfy.exe          1504   1356   1      37     Mon Jan 11 00:09:16 2010
explorer.exe         1752   480    12     406    Mon Jan 11 00:09:16 2010
jusched.exe          412    1752   1      43     Mon Jan 11 00:09:17 2010
igfxtray.exe         368    1752   3      82     Mon Jan 11 00:09:17 2010
hkcmd.exe            416    1752   3      87     Mon Jan 11 00:09:17 2010
igfxpers.exe         1632   1752   4      100    Mon Jan 11 00:09:17 2010
SynTPEnh.exe         1760   1752   4      95     Mon Jan 11 00:09:17 2010
QPService.exe        832    1752   3      118    Mon Jan 11 00:09:17 2010
hpwuSchd2.exe        1636   1752   1      80     Mon Jan 11 00:09:17 2010
issch.exe            548    1752   1      23     Mon Jan 11 00:09:17 2010
QLBCTRL.exe          596    1752   5      154    Mon Jan 11 00:09:17 2010
SBS.EXE              1140   1752   1      79     Mon Jan 11 00:09:17 2010
iTunesHelper.ex      280    1752   9      354    Mon Jan 11 00:09:17 2010
agent.exe            652    1168   6      237    Mon Jan 11 00:09:17 2010
GoogleToolbarNo      1428   1752   6      258    Mon Jan 11 00:09:17 2010
ctfmon.exe           668    1752   1      71     Mon Jan 11 00:09:17 2010
hpqtra08.exe         912    1752   5      203    Mon Jan 11 00:09:18 2010
Tray.exe             1936   1752   4      126    Mon Jan 11 00:09:18 2010
wmiprvse.exe         1764   1168   6      157    Mon Jan 11 00:09:22 2010
hpqimzone.exe        2184   1584   7      247    Mon Jan 11 00:09:22 2010
iPodService.exe      2548   988    12     162    Mon Jan 11 00:09:23 2010
hpqste08.exe         2920   912    3      277    Mon Jan 11 00:09:31 2010
iexplore.exe         2992   1752   12     391    Mon Jan 11 00:09:33 2010
iexplore.exe         3072   2992   47     865    Mon Jan 11 00:09:34 2010
ISUSPM.exe           2480   548    3      238    Mon Jan 11 00:10:17 2010
hprbUpdate.exe       3452   1636   0      -1     Mon Jan 11 00:11:17 2010
jucheck.exe          3340   412    0      -1     Mon Jan 11 22:49:56 2010
iTunes.exe           3408   280    19     955    Mon Jan 11 22:50:06 2010
cmd.exe              3568   1140   1      21     Mon Jan 11 22:55:34 2010
RAR.EXE              3468   3568   1      17     Mon Jan 11 22:55:34 2010
HPZipm12.exe         2672   988    0      -1     Tue Jan 12 00:25:00 2010
csrss.exe            2164   844    11     261    Tue Jan 12 00:25:13 2010
winlogon.exe         2100   844    15     229    Tue Jan 12 00:25:13 2010
wscntfy.exe          4036   2100   1      37     Tue Jan 12 00:25:25 2010
explorer.exe         3728   1808   15     511    Tue Jan 12 00:25:25 2010
jusched.exe          2248   3728   1      37     Tue Jan 12 00:25:27 2010
hkcmd.exe            2148   3728   3      84     Tue Jan 12 00:25:28 2010
igfxpers.exe         2656   3728   5      99     Tue Jan 12 00:25:28 2010
SynTPEnh.exe         3472   3728   4      93     Tue Jan 12 00:25:28 2010
QPService.exe        3560   3728   3      120    Tue Jan 12 00:25:28 2010
hpwuSchd2.exe        3012   3728   1      28     Tue Jan 12 00:25:29 2010
issch.exe            1452   3728   1      23     Tue Jan 12 00:25:30 2010
QLBCTRL.exe          1260   3728   7      152    Tue Jan 12 00:25:30 2010
SBS.EXE              2816   3728   1      40     Tue Jan 12 00:25:31 2010
iTunesHelper.ex      4028   3728   9      357    Tue Jan 12 00:25:31 2010
msmsgs.exe           3264   3728   3      199    Tue Jan 12 00:25:31 2010
GoogleToolbarNo      1840   3728   6      260    Tue Jan 12 00:25:32 2010
ctfmon.exe           1500   3728   1      71     Tue Jan 12 00:25:33 2010
btdna.exe            3720   3728   7      228    Tue Jan 12 00:25:38 2010
hpqtra08.exe         2192   3728   6      208    Tue Jan 12 00:25:39 2010
hpqimzone.exe        3968   1736   7      251    Tue Jan 12 00:25:59 2010
hpqste08.exe         2688   2192   5      276    Tue Jan 12 00:26:10 2010
HPZipm12.exe         2904   988    0      -1     Tue Jan 12 00:26:18 2010
ISUSPM.exe           3820   1452   9      243    Tue Jan 12 00:26:30 2010
agent.exe            3928   2100   6      126    Tue Jan 12 00:26:43 2010
firefox.exe          3860   3824   18     390    Tue Jan 12 00:27:41 2010
cmd.exe              640    3728   1      33     Tue Jan 12 00:29:29 2010
mdd_1.3.exe          3256   640    1      24     Tue Jan 12 00:30:49 2010
HPZipm12.exe         3796   988    0      -1     Tue Jan 12 00:30:53 2010
You have just reconstructed a process listing from a memory image. To run other
scripts, simply change the pslist portion of the command given in step 10 to reflect
any other command you wish to run (for example, python volatility psscan2 -f /mnt/
sda/tools/mdd/xpdump.dd). Again, the list of volatility commands can be obtained by
typing python volatility while in that directory.
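A listing like the one above is usually the first thing a responder reads, and its columns carry more than names: an entry with zero threads and a handle count of -1 is typically a process that had already exited but was still linked when the image was taken, and a parent PID that appears nowhere in the listing marks an orphan whose parent is gone. The Python below is an added example, not part of the chapter and not part of Volatility: it parses the Name/Pid/PPid/Thds/Hnds/Time layout shown above and asks those questions of it. The listing embedded in the script is a constructed excerpt copied from the rows above; a real run would read the saved output of the pslist command instead.

```python
import re

# Constructed excerpt in the "Name Pid PPid Thds Hnds Time" layout of the listing
# above; a real run would read the saved output of "python volatility pslist ...".
SAMPLE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
explorer.exe         3728   1808   15     511    Tue Jan 12 00:25:25 2010
cmd.exe              3568   1140   1      21     Mon Jan 11 22:55:34 2010
RAR.EXE              3468   3568   1      17     Mon Jan 11 22:55:34 2010
hprbUpdate.exe       3452   1636   0      -1     Mon Jan 11 00:11:17 2010
csrss.exe            2164   844    11     261    Tue Jan 12 00:25:13 2010
winlogon.exe         2100   844    15     229    Tue Jan 12 00:25:13 2010
cmd.exe              640    3728   1      33     Tue Jan 12 00:29:29 2010
mdd_1.3.exe          3256   640    1      24     Tue Jan 12 00:30:49 2010
"""

# name, pid, ppid, thread count, handle count (may be -1), start time
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(.+?)\s*$")


def parse_pslist(text):
    """Turn the column output into a list of dicts; header and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:          # header line, blank line, or a line the extraction mangled
            continue
        name, pid, ppid, thds, hnds, started = m.groups()
        procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                      "thds": int(thds), "hnds": int(hnds), "started": started})
    return procs


def exited_processes(procs):
    """Entries with no threads and a handle count of -1: process objects that had
    already exited but were still linked when the image was taken."""
    return [p for p in procs if p["thds"] == 0 and p["hnds"] == -1]


def orphans(procs):
    """Processes whose parent PID is not in the listing (parent exited, or PID reused)."""
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] not in pids]


def lineage(procs, pid):
    """Image names from pid upward until the parent is no longer in the listing."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def children_of(procs, pid):
    """Sorted image names of the direct children of pid."""
    return sorted(p["name"] for p in procs if p["ppid"] == pid)


def summarize(text):
    """One-shot triage summary of a listing."""
    procs = parse_pslist(text)
    return {
        "processes": len(procs),
        "exited": [p["name"] for p in exited_processes(procs)],
        "orphans": [p["name"] for p in orphans(procs)],
    }


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(summarize(SAMPLE_PSLIST))
    # How did the imaging tool get started?  Walk mdd_1.3.exe back to its ancestors.
    print(" <- ".join(lineage(procs, 3256)))
```

The lineage walk is the useful part in practice: on the listing above it shows the imaging tool started from a cmd.exe spawned by explorer.exe, which is what you expect of a console session, and the same walk applied to an unfamiliar image name tells you immediately whether it was launched by a user shell, a service, or a browser.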
Foremost is a Linux-based file-carving utility that recovers files by their headers and
footers, both from memory images and from deleted data on disk. This is another one of
the many tools included in the FCCU Linux CD. To view most of the tools installed on
this CD, go to the /usr/bin directory and type ls to view the slew of program options
you have at your fingertips. Documentation for these tools can be found on the FCCU site.JJ
Foremost uses a configuration file to indicate the header and footers that are to
be included in the search. The amount of data this tool provides is quite amazing.
The below command can be run against the xpdump.dd to extract the data contained
in the image file.
foremost -i /mnt/sdc/xpdump.dd -o /mnt/sdc/foremost
Foremost will dump each data type into a relevant directory structure. In the above
example, we are dumping the output back to the flash drive. The output received on
the screen should resemble the following if the command was run successfully.
Processing: /mnt/sda/tools/mdd/xpdump.dd
|*WMV err num_header_objs=-131147587 headerSize=5687684516505947764
*WMV err num_header_objs=-131147587 headerSize=5687684516505947764
*********|
root@fcculive:/bin# ls /mnt/sdc/foremost
audit.txt bmp dll exe gif htm jpg ole png rar wav zip
Once the command has completed the process, you can view the files in their
corresponding directory structure. The below example shows the output being viewed
in Windows Explorer, as seen in Figure 5.6.
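Foremost's header/footer approach is simple enough to show in a few dozen lines. The Python below is an added example, not foremost's code: it carries the same four facts a foremost configuration line does (type, header, footer, maximum size) for JPEG and PNG, scans a buffer for each header, cuts at the footer or at the size cap when the footer is missing, and writes the results into per-type directories with an audit.txt, mirroring the layout of the directory listing above. The memory image it scans is a small constructed byte string, not xpdump.dd.

```python
import os
import tempfile

# (type, header, footer, max size): the four facts a line in foremost's
# configuration file expresses for each file type.  Only two types here.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
]


def carve(buf, signatures=SIGNATURES):
    """Scan buf for every header; cut at the matching footer, or at the size cap
    when no footer follows (a truncated file).  Returns records sorted by offset."""
    carved = []
    for ftype, header, footer, max_size in signatures:
        pos = buf.find(header)
        while pos != -1:
            window_end = min(pos + max_size, len(buf))
            foot = buf.find(footer, pos + len(header), window_end)
            if foot != -1:
                end, complete = foot + len(footer), True
            else:
                end, complete = window_end, False
            carved.append({"offset": pos, "type": ftype,
                           "data": buf[pos:end], "complete": complete})
            # After a complete file resume past its footer; after a truncated one
            # resume just past the header so a later real file is not skipped.
            pos = buf.find(header, end if complete else pos + len(header))
    carved.sort(key=lambda rec: rec["offset"])
    return carved


def write_carved(carved, outdir):
    """Mirror foremost's output layout: one subdirectory per type plus audit.txt."""
    lines = []
    for rec in carved:
        subdir = os.path.join(outdir, rec["type"])
        os.makedirs(subdir, exist_ok=True)
        name = "%08d.%s" % (rec["offset"], rec["type"])
        with open(os.path.join(subdir, name), "wb") as fh:
            fh.write(rec["data"])
        lines.append("%s %d bytes at offset %d%s" % (
            name, len(rec["data"]), rec["offset"],
            "" if rec["complete"] else " (no footer)"))
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def build_sample_image():
    """Constructed stand-in for a memory image: filler, a complete JPEG, a
    complete PNG, and a JPEG whose end-of-image marker is missing."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20
    return b"\x00" * 64 + jpeg + b"\x00" * 16 + png + b"\x00" * 8 + truncated


def demo(buf=None):
    """Carve the sample (or a supplied buffer) into a fresh temporary directory."""
    outdir = tempfile.mkdtemp(prefix="carve_")
    return write_carved(carve(build_sample_image() if buf is None else buf), outdir)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The size cap matters more than it looks: without it a header whose footer never appears (or whose footer bytes happen to occur inside a different file) would swallow everything behind it, which is why foremost's configuration carries a maximum size for each type and why the audit.txt entry flags a carve that ended on the cap rather than on a footer.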
This concludes the testing portion of this chapter. Take some time to read through
the documentation on the FCCU site and have some fun with the tons of tools you
now have at your disposal.
JJwww.lnx4n6.be/index.php
Figure 5.6
Foremost Output
Additional Analysis Tools
There are a number of other open-source and commercial analysis tools on
the market today. These tools are maturing rapidly, largely motivated by the
increasing threats that are becoming exclusively memory resident. Listed below
are some of the more common analysis tools that support raw dd-type memory
dumps.KK
• Helix (www.e-fense.com/products.php)
• Access Data Forensic Toolkit (www.accessdata.com/forensictoolkit.html)
• HBGary Responder (www.hbgary.com/products-services/incident-response/)
The licensed utilities will obviously have a higher rate of success than the free
versions, especially for those less savvy, although equivalent results can be achieved.
Princeton’s experiments in the cold-boot attack illustrate the potential of their
memory-recovery methods even when the image contains a few bit errors. These are remarkable results, considering that even a small amount of error can significantly complicate the recovery of correct cryptographic keys. The example given in the paper states that the extraction of a
1GB memory image that contains a 128-bit symmetric key associated to 4-byte code
allows for up to 2^28 probable key values.LL If the bit errors begin to affect the memory location of the key, the search can quickly become much more difficult.
KKhttp://blogs.sans.org/computer-forensics/2008/11/19/memory-forensic-analysis-finding-hidden-processes/
Future Memories
In April of 2008, HP announced they had built a working prototype of a groundbreaking component that could allow computers to be instantly initialized from a
powered-off state.MM Memristor, or memory resistor, adds a fourth element to electrical circuit theory that will unite the existing capacitor, resistor, and inductor parts.
Leon Chua first predicted this technology as an engineering professor in 1971.NN
Obviously, this technology is still in its infancy but has enormous potential from
multiple aspects. According to R. Stanley Williams, “Building an analog computer in
which you don’t use 1s and 0s and instead use essentially all shades of gray in between
is one of the things we’re already working on.”3 Researchers also speculate that this
discovery could lead to the creation of systems that have pattern-matching abilities
similar to those of the human brain. The instant-initialization aspect is derived from
the memristor’s ability to retain information even after the power is removed.
How might this impact security and forensic fields? This changes the computational theory fundamentals by merging all memory into a nonvolatile state. At first
glance, it appears all memory will wait in a desirable state, even if the plug is pulled.
Then again, it may take some considerable time to learn how to deal with the new
technologies this spawns, like trying to interpret gray-scale data instead of machine
code. This should be an interesting evolution to observe regardless of where you are
sitting.
The Room with an Evil View
Invisible Things LabOO is a group of Russian researchers who apply cutting-edge
strategies in the areas of computer security. This team specializes in kernel, virtualization, and system-level investigations that are widely cited by international media.
In the last 2 years, they have made appearances at numerous summits and conferences around the globe.
One of their recent contraptions involves an attack on full-disk encryption software using a scenario tagged the evil maid.PP In this particular situation, they portray
a businessperson leaving his or her TrueCrypt- or PGP-encrypted (full disk) laptop
powered off in a hotel room. The immoral maid then enters the room while the user
is gone, armed with nothing more than a USB flash drive. She boots the target system from the USB, and in approximately 2 min, a software sniffer is installed. This
sniffer then records the passcode used to gain access to the system the next time the
user powers on.
LLhttp://citp.princeton.edu/pub/coldboot.pdf
MMwww.hpl.hp.com/news/2008/apr-jun/memristor.html
NNwww.ieeeghn.org/wiki/images/b/bd/Memristor_chua_article.pdf
OOinvisiblethingslab.com/itl/Welcome.html
PPhttp://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
In this specific example, the maid returns to the room at a later time to retrieve the
recorded passcode and then copies the entire drive in a decrypted state. The attacker
could just take the machine at this point unless she is concerned about drawing suspicion. A paranoid attacker may choose to include an Internet transfer mechanism
the next time the user connects.
The implementation provided in the next section will guide you through the creation of this USB attack. The program will read the first 63 sectors of the primary
drive for a TrueCrypt loader. If this exists, the code is deployed and hooks into the
TrueCrypt passphrase function to record what is entered. Once complete, the loader
gets packed again and written to disk.
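Because the attack just described rewrites the loader that lives in the sectors in front of the first partition, the defensive counterpart is an integrity check of exactly that region, taken from trusted boot media rather than from the possibly hooked system itself. The Python below is an added example, not Invisible Things Lab's code and not TrueCrypt's: it hashes the first 63 sectors of a disk or disk image, compares the digest with a baseline recorded while the machine was known to be clean, and reports which sectors changed. The disk image it checks is constructed in memory; the sector it alters stands in for any unauthorised change to the loader and is not the evil maid payload.

```python
import hashlib
import io

SECTOR = 512
BOOT_REGION_SECTORS = 63   # MBR plus the 62 sectors before the first partition


def read_boot_region(fobj):
    """Read the first 63 sectors of a disk image or of a block device opened read-only."""
    fobj.seek(0)
    return fobj.read(SECTOR * BOOT_REGION_SECTORS)


def boot_region_digest(region):
    """SHA-256 of the boot region; this is the value to record as the clean baseline."""
    return hashlib.sha256(region).hexdigest()


def changed_sectors(baseline_region, current_region):
    """Sector numbers whose 512 bytes differ, so the analyst sees where the change landed."""
    changed = []
    for i in range(BOOT_REGION_SECTORS):
        a = baseline_region[i * SECTOR:(i + 1) * SECTOR]
        b = current_region[i * SECTOR:(i + 1) * SECTOR]
        if a != b:
            changed.append(i)
    return changed


def check_boot_region(fobj, baseline_digest):
    """Compare the boot region of fobj against a digest recorded when the machine was clean."""
    region = read_boot_region(fobj)
    digest = boot_region_digest(region)
    return {"ok": digest == baseline_digest, "digest": digest, "region": region}


def build_sample_disk(tampered=False):
    """Constructed 1 MiB disk image: a boot sector ending in the 0x55AA signature,
    a loader-like byte pattern in sectors 1 to 15, zeros elsewhere.  With
    tampered=True sector 2 is rewritten, standing in for an unauthorised change."""
    sectors = [bytes([i]) * SECTOR for i in range(16)]
    mbr = bytearray(sectors[0])
    mbr[-2:] = b"\x55\xaa"
    sectors[0] = bytes(mbr)
    if tampered:
        sectors[2] = b"\xcc" * SECTOR
    return io.BytesIO(b"".join(sectors) + b"\x00" * ((2048 - 16) * SECTOR))


if __name__ == "__main__":
    # Record the baseline from the clean image, then check a tampered copy.
    baseline = boot_region_digest(read_boot_region(build_sample_disk()))
    result = check_boot_region(build_sample_disk(tampered=True), baseline)
    print("boot region intact:", result["ok"])
    print("changed sectors:", changed_sectors(
        read_boot_region(build_sample_disk()), result["region"]))
```

Against a real machine, boot the live Linux used throughout this chapter, open the whole-disk device (for example, /dev/sda) read-only and pass the file object to check_boot_region; keep the baseline digest somewhere other than the disk being checked, since anything stored on that disk can be rewritten along with the loader. The check covers only the pre-partition area, so where the hardware offers it, a TPM-measured boot is the stronger answer to this class of attack.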
Making Evil Live
The procedures provided were built and tested against Windows XP and Vista systems
encrypted with TrueCrypt. You will need a flash drive and a live copy of Linux.
The code for the evil maid can be downloaded from the Invisible Things Web site
(http://invisiblethingslab.com/resources/evilmaid/evilmaidusb-1.01.img).
1. Boot into Linux.
2. Open a root terminal window.
3. Type mkdir evilmaid. You can call your directory anything you’d like.
4. Copy evilmaidusb-1.0.1.img to this folder. You can either download it directly
from the URL above or save it to a USB drive and move it over. If you do not
have Internet access from the machine from which you are working, follow
steps 5 to 11 to mount and move the file from a USB drive.
5. Type fdisk -l | grep '^Disk' and press Enter to view all disks.
6. Find your flash drive by checking the size. In this example, the drive is /dev/sdc.
The remaining steps will indicate an “*” for this letter. Use the letter that corresponds to your respective flash drive.
7. Type mkdir /mnt/sd* and press Enter.
8. Type mount /mnt/sd* and press Enter.
9. Type cd /mnt/sd* and press Enter.
10. Type cp evilmaidusb-1.0.1.img /evilmaid and press Enter.
11. Type cd /evilmaid and press Enter to verify that the file has been successfully
copied.
12. Insert the flash drive onto which you want to burn the evilmaid image.
13. Mount the drive and type dd if=/dev/zero of=/dev/sd*. This will overwrite the
drive you plan on using with zeros. Please be careful, as choosing a wrong
device might result in damaging your hard disk or other media! Also, make sure
to use the device representing the whole disk (for example, /dev/sd*) rather than
a disk partition (for example, /dev/sd*1).
14. Type cd /evilmaid and press Enter.
15. Type dd if=evilmaidusb.img of=/dev/sd*, where /dev/sd* is your flash drive.
You should now have a working evil maid USB flash drive. Boot the target
system from the evil maid USB flash drive and press E to confirm installation of
the software. The system will now be infected with the malware. Once the system
is rebooted and the TrueCrypt passphrase entered, evil maid will store this for later
retrieval. To obtain the recorded keystrokes, simply boot into the evil maid flash
drive again. The software will recognize the installation and pull the password down
for your viewing pleasure.
Warning
Uninstall procedures were not validated during testing of this scenario. The systems tested
against were wiped clean once complete to ensure removal.
Hindering the Gatherers
Guarding against these types of attacks can be difficult, as the attacker needs only
minutes to extract an entire memory image. Some of these attacks could ultimately
result in a confiscated or stolen system. An attacker needs only to pause momentarily
to image the memory of a system before walking off with it. If the system has full-disk
encryption, the attacker can simply return to their lair and decrypt it at their leisure.
Security Framework, Programs, and Governance
Large corporations and other paranoid entities have either initiated or instilled a
framework-based information-security program that is overseen by a governing
body. Security programs and governance are still relatively fresh concepts, even to
these savvy organizations. Substantial struggles are often found in the political and
cultural landscapes, while the technical aspects present their own set of challenges.
An information-security program requires the same level of consideration as any
other in the organizational agenda.QQ Management of the program covers a broad
spectrum of activities. Adherence to a solid framework is a fundamental aspect that
can enable a strong foundation upon which to build.RR SANS Institute provides a
large amount of public information on these topics, and a sample of their security-program model is included in Figure 5.7 for reference.SS
Governance is another fundamental aspect of a successful security program that
garners less attention. This can be viewed as a nonnegotiable requirement of adequate
security throughout the enterprise.TT Adequate security is a variable in constant flux as
the threat model continues to expand, so these requirements need constant evaluation.
Elevating security to the executive level can cultivate better attentiveness and effectiveness and quickly bring each new amendment to the attention of management.
QQwww.giac.org/practicals/archives/gsec/14b.pdf
RRhttp://csrc.nist.gov/groups/SMA/fisma/framework.html
SSwww.sans.org/reading_room/whitepapers/auditing/security_program_management_and_risk_1061?show=1061.php&cat=auditing
Figure 5.7
SANS Security Program Management
(Figure labels as extracted: Steering Committee; CIO; CISO; Executive Level; Analyze and Strategize; Assess and Align; Business Governance Framework; Risk Management; Security Strategy; Risk Aggregation; Outsource Controls; Security Roadmap; Partner Agreements; Training; Security Policy; Infrastructure Development; Quality Assurance; Portfolio Programs Analysis.)
If an organization’s management does not establish and reinforce the business
need for effective enterprise security, the organization’s desired state of security
will not be articulated, achieved, or sustained. To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders
at a governance level, not of other organizational roles that lack the authority,
accountability, and resources to act and enforce compliance.4
A large part of governance is the management and assessment of risk, which
can be an excruciating endeavor, especially for those starting from the ground up.
This issue is amplified for small- to medium-sized businesses that may not have the
funds or staff to facilitate such a venture. With federal and state regulations creeping into all sectors, it has never been more important to establish a security program. Without this enforcement from Big Brother, most would not see value
in spending the time or cycles. COBIT, part of the Information Systems Audit and
TTwww.cert.org/governance/